- CERT/CC's advisory VU#213560 reports CVE-2026-11405 as a hidden backdoor in at least five Tenda router firmware builds that reportedly grants full admin access without valid credentials.
- According to CERT/CC, the backdoor is compiled directly into the firmware binary, meaning no owner-accessible setting can disable or remove it — only a vendor patch could fix it.
- Whether public proof-of-concept exploit code exists is disputed: The Cyber Wire, citing Rescana, says it does, while Dark Web Informer reported no PoC had been confirmed at its time of writing.
What Folks Are Hollerin' About
Well, grab your sweet tea and sit down, because CERT/CC — that's the U.S. government-affiliated vulnerability coordination outfit — published advisory VU#213560 on July 6, 2026, disclosing CVE-2026-11405. According to CERT/CC, this is an undocumented authentication backdoor tucked inside the firmware of multiple Tenda router models that reportedly hands over full administrative access to the web management interface without requiring a lick of valid credentials. The Hacker News, BleepingComputer, Security Affairs, and The Cyber Wire all picked up the story with consistent technical detail drawn straight from that advisory.
CERT/CC says the affected firmware builds cover five Tenda router models: the FH1201, W15E, AC10, AC5, and AC6 V2. If you own one of those fine pieces of networking hardware, well, according to CERT/CC, your front door might as well have a welcome mat that reads 'Come On In, Stranger.' Dark Web Informer goes a step further and suggests other Tenda models with shared code lineage deserve suspicion too — though no other major outlet has adopted that broader position, so take that with a grain of Alabama red-clay salt.
What CERT/CC Actually Says Is Happening Under the Hood
According to CERT/CC's advisory, corroborated by BleepingComputer and Security Affairs, the backdoor lives inside the login() function of the /bin/httpd web server binary. Here's how CERT/CC says this rascal works: normal MD5-based authentication runs first, and if that fails, the firmware goes fetchin' an alternate password stored under a configuration key called 'sys.rzadmin.password' and compares it in plaintext using a strcmp() call. Any username at all — could be 'BobTheMuleSkinner' for all it cares — will be accepted as long as it's paired with that backdoor password. It's like a padlock that opens for every key in the county once you wiggle the handle just right.
According to Security Affairs and TechTimes, the backdoor is compiled directly into the firmware binary itself, not into any configuration file that an owner could edit or reset. CERT/CC confirms this means no owner-accessible option can remove or disable the backdoor code path — only a vendor-issued firmware update rewriting that binary would do the job. CERT/CC also notes the vulnerability was discovered and reported to CERT/CC by an anonymous researcher, which is about as mysterious as a catfish turning up in a baptismal font.
According to CERT/CC, Tenda has not responded to disclosure efforts, and the vulnerability remains unpatched as of publication. BleepingComputer similarly reports that the issue remains unfixed. The Hacker News and The Cyber Wire confirm the same sorry state of affairs. Tenda has issued no public statement, so there is no vendor-side account to weigh here whatsoever.
What Ain't Been Nailed Down Yet
Now here's where the pig gets slippery. Whether public proof-of-concept exploit code is out there is a genuine dispute between sources. The Cyber Wire, citing Rescana, states that public proof-of-concept code is available. Dark Web Informer, on the other hand, reported that no proof-of-concept had been confirmed at the time of its writing. Those two claims are sitting in the same room giving each other the stink-eye, and readers should not treat either as settled.
Nobody has confirmed active exploitation of CVE-2026-11405 in the wild as of reporting time — that much is agreed upon across sources including Dark Web Informer. However, BleepingComputer assessed that the flaw is very likely to be targeted by botnets that focus on router vulnerabilities in the near term. That assessment is BleepingComputer's editorial judgment, not a confirmed observation of exploitation.
TechTimes raises the possibility that this could be intentional insertion rather than an accidental debug artifact, noting that researcher Craig Heffner documented a separate LAN-side backdoor in the Tenda W302R and W330R routers back in 2013, also in the httpd component. That historical reference comes only from TechTimes and has not been independently corroborated in this news cycle, so treat it as a single-outlet footnote rather than established context. CERT/CC and most other outlets frame CVE-2026-11405 as an undocumented mechanism without speculating on whether it was deliberate — and that question, frankly, cannot be resolved from public information.
What CERT/CC Suggests You Do Right Now
Since there ain't a patch coming anytime soon — on account of Tenda being as reachable as a screen door on a submarine — CERT/CC recommends that owners of affected devices immediately disable remote web management on the WAN side and change the default LAN IP address to reduce the odds that automated scanners sniff out the management interface. Security Affairs and The Cyber Wire both echo those mitigations. CERT/CC is explicit that these steps reduce opportunistic discovery but do not eliminate the backdoor code path, which remains baked into the binary regardless of what settings you toggle.
Editorial Analysis: What This Mess Might Actually Mean
This is analysis, not reporting. A hardcoded or compiled-in alternate authentication path in consumer router firmware is about as welcome as a raccoon in the pantry, and the fact that it lives in the httpd binary rather than in any user-editable configuration makes it especially gnarly — owners are genuinely stuck waiting on a vendor that has so far declined to pick up the phone. That posture, if it continues, leaves affected hardware permanently compromised for anyone who keeps running it.
The dispute over proof-of-concept availability matters practically: if working exploit code is already circulating, the window between disclosure and active botnet abuse narrows dramatically. BleepingComputer's assessment that botnets are likely to target this flaw is plausible given how enthusiastically automated scanners have historically chewed through disclosed router vulnerabilities, but it remains an assessment rather than observed fact. The prudent move, in this analyst's humble opinion, is to treat the risk as elevated and act on CERT/CC's mitigations immediately while considering whether continued use of affected hardware is worth the gamble.
Who is doing the hollering
These links show where the chatter came from. A link is attribution, not our endorsement or independent confirmation.
- VU#213560 - Tenda firmware (multiple versions) contains hidden authentication backdoorCERT/CC · primary
- Hidden backdoor in Tenda router firmware grants admin accessBleepingComputer · top tier
- CERT/CC Warns of Hidden Admin Backdoor in Tenda Router FirmwareThe Hacker News · top tier
- Hidden Tenda Router Backdoor Grants Admin Access, No Patch AvailableSecurity Affairs · specialist
- CERT/CC warns of an unpatched backdoor affecting Tenda routersThe Cyber Wire · specialist
- Tenda Firmware Backdoor Lets Anyone Log In as Admin Regardless of PasswordTechTimes · specialist
- When the Password Check Fails, You're In: The Hidden Admin Backdoor in Tenda Router Firmware (CVE-2026-11405)Dark Web Informer · specialist
Last checked Jul 8, 2026, 9:06 AM EDT. Talk Around Town: No patch exists and Tenda has not responded to CERT/CC. Whether the backdoor is intentional, a debug artifact, or something else cannot be determined from public information. At least one source claims public proof-of-concept code is available, while another states none had been confirmed — readers should treat exploitation risk as elevated but not yet confirmed in the wild.